Apparatus and method for authenticating the dispatch and contents of documents

ABSTRACT

Apparatus and method for authenticating that a sender has sent certain information via a dispatcher to a recipient is disclosed. The method includes the steps of: (a) providing a set A comprising a plurality of information elements a1, . . . an, said information element a1 comprising the contents of said dispatched information, and said one or more information elements a2, . . . an comprising dispatch-related information and comprise at least the following elements: a2—a time indication associated with said dispatch; and a3—information describing the destination of said dispatch, and wherein at least one of said information elements is provided in a manner that is resistant or indicative of tamper attempts by said sender, (b) associating said dispatch-related information with said element a1 by generating authentication-information, in particular comprising a representation of at least said elements a1, a2 and a3, said representation comprising a set of one or more elements, each comprising a representation of one or more elements of said set A; (c) securing at least part of said authentication-information against undetected tamper attempts of at least said sender. The dispatch relates either to transmission or to manual delivery. The apparatus implements the operations of the method.

FIELD OF THE INVENTION

The present invention relates to a method and apparatus for authenticating the dispatch and the contents of dispatched information in general.

BACKGROUND OF THE INVENTION

Post, courier, forwarding and other mail services, which enable people to exchange documents and data, have been widely used both in the past and at the present time. With the evolution of modern technology, the use of electronic dispatch devices and systems, such as modems, facsimile machines, electronic mail (E-Mail) and EDI systems, computers, communication networks, and so forth, to exchange data and documents is rapidly evolving.

A substantial quantity of the information exchanged, such as contracts, purchase orders, invoices, monetary orders, notices, and even warning and notification messages, are of utmost importance. Sometimes, when a dispute arises between the sending and receiving party of the exchanged information, the receiving party may raise the claim that he never received the information, that the received information was different from what the sender claims to have sent, or the receiving party may even attempt to forge the received information.

The need, therefore, arises for the sender to prove that specific information has been sent at a specific time to that specific receiving party.

Various solutions to various related problems have been proposed in the literature. For example, the transmission operation itself may be authenticated, as shown in U.S. Pat. No. 5,339,361 (Schwalm et al.), which describes a communication system providing a verification system to identify both the sender and recipient of electronic information as well as an automatic time stamp for delivery of electronic information. This patent, however, does not verify the dispatched information.

Document authentication methods, for example by notarization, have long been in use. A method for notarization of electronic data is provided by EP-A-516 898 (PITNEY BOWES INC.) or its patent family member U.S. Pat. No. 5,022,080 (Durst et al.) which authenticates that source data has not been altered subsequent to a specific date and time. The method disclosed includes mathematically generating a second unit of data from the first unit of data, as by CRC generation, parity check or checksum. The second unit of data is then encrypted together with a time/date indication, and optionally with other information to form an authentication string. Validation that the first unit of data has not been changed is provided by comparing the original data's authentication string with the authentication string generated from the data and time in question. A method is even suggested for having the recipient verify the authenticity of the sender, the time of transmission and the data.

Other patents which discuss document authentication are U.S. Pat. Nos. 5,136,646 and 5,136,647 both to Haber et al. According to these patents, a unique digital representation of the document (which is obtained by means of a one-way hash function) is transmitted to an outside agency, where the current time is added to form a receipt. According to U.S. Pat. No. 5,136,647, the receipt is certified using a cryptographic digital signature procedure, and is optionally linked to other contemporary such receipts thereby fixing the document's position in the continuum of time. According to U.S. Pat. No. 5,136,646, the receipt is certified by concatenating and hashing the receipt with the current record catenate certificate which itself is a number obtained by sequential hashing of each prior receipt with the extent catenate certificate.

Various cryptographic schemes are known in the prior art for encrypting and for authenticating digital data and/or its author. For example, symmetric algorithms such as DES [1.01] and IDEA [1.02], one-way hash functions [1.03] such as MD5 [1.04], Public-Key (asymmetric) algorithms [1.05] such as RSA [1.06], and verifiable digital signature generation algorithms [1.12] such as DSA [1.07] or RSA, as well as combinations thereof such as PGP [1.08] and MACs [1.13], are currently widely used for security and for authentication purposes [1.09]. An excellent publication relating to encryption, authentication, public-key cryptography and to cryptography and data security in general, as well as applications thereof and additional references to multiple sources can be found in [1]. Further prior art, in particular referring to integrity of stored data, can be found in D. W. Davies & W. L. Price, “Security for computer networks”, 1989, John Wiley & Sons, Chichester (UK).

Proof of delivery of non-electronic documents is provided, for example, by Registered Mail and courier services. It is commonly used to authenticate the delivery of materials at a certain time to a certain party, and serves as admissible proof of delivery in a court of law. However, no proof is provided as to the information contents of the specific dispatch.

E-mail and other electronic message forwarding services are commonly used today. The sender sends a message to the dispatching service which, in turn, forwards the message to the destination and provides the sender with a delivery report which typically includes the date and time of the dispatch, the recipient's address, the transmission completion status, and sometimes even the transmitted data, the number of pages delivered, the recipient's identification information, and so on. The provided delivery report mainly serves for accounting purposes and for notifying the sender of the dispatch and/or its contents. Moreover, frequently no record of the specific dispatched data is maintained with the service after the delivery is completed or provided to the sender.

SUMMARY OF THE PRESENT INVENTION

The literature does not provide a comprehensive solution that directly addresses the problem in question: what information has been sent to whom and when. Accordingly, there is a need for a method and system to provide the sender with a convenient means for authenticating both the dispatch and the contents of documents, electronic information and other information during the normal flow of daily activities.

It is therefore an object of the present invention to improve the capacity of conventional systems and methods for dispatching documents and transmitting information to provide the sender with evidence he can use to prove both the dispatch and its contents.

The present invention discloses an apparatus according to claim 1 for authenticating that certain information has been sent by a sender via a dispatcher to a recipient, the apparatus comprising:

means for providing a set A comprising a plurality of information elements a1, . . . ,an, said information element a1 comprising the contents of said dispatched information, and said one or more information elements a2, . . . ,an containing dispatch-related information and comprise at least the following elements:

a2—a time indication associated with said dispatch; and

a3—information describing the destination of said dispatch,

and wherein at least one of said information elements is provided in a manner that is resistant or indicative of tamper attempts by said sender;

means for associating said dispatch-related information with said element a1 by generating authentication-information, in particular comprising a representation of at least said elements a1, a2 and a3, said representation comprising a set of one or more elements, each comprising a representation of one or more elements of said set A; and

means for securing at least part of said authentication-information against undetected tamper attempts of at least said sender.

Thus, the present invention provides a sender with the capability to prove both the dispatch and the contents of the dispatched materials. The dispatched materials can be paper documents, electronic information or other information which can be dispatched electronically by transmission or non-electronically, such as by courier or registered mail service, to an address of a recipient.

According to the present invention, dispatch related information is associated with the contents of the dispatch, in a relatively secure, or reliable manner. This associated information can be provided for example to the sender, and may serve as evidence of both the dispatch and its contents, for example, in a court of law, and therefore it is collectively referred to herein as the “authentication-information” or “evidence”.

Additionally, the present invention discloses a method according to claim 27, wherein in essence, a set A comprising a plurality of information elements a1, . . . , an is provided, said information element a1 comprising the contents of the dispatched information, and said one or more information elements a2, . . . , an containing dispatch-related information and comprise at least the following elements:

a2—a time indication associated with said dispatch; and

a3—information describing the destination of said dispatch,

and wherein at least one of said information elements is provided in a manner that is resistant or indicative of tamper attempts by said sender.

Said dispatch-related information is associated with said element a1 by generating authentication-information, in particular comprising a representation of at least said elements a1, a2 and a3, said representation comprising a set of one or more elements, each comprising a representation of one or more elements of said set A, and at least part of said authentication-information is secured against undetected tamper attempts of at least said sender.

It is appreciated that in accordance with the present invention, the representation can comprise any number of any combination in any form of: the elements themselves, identical or equivalent elements such as copies thereof or information describing or identifying these elements, information expressive as a mathematical function of one or more of these elements and so forth. Each combination may be maintained jointly or separately as desired. The representation has a recursive characteristic, i.e., it can comprise a representation of one or more of the above.

The present invention encompasses all types of information being dispatched, such as that found on paper documents or within electronic documents and other electronic data, and all types of dispatch methods, such as transmission via facsimile machines, modems, computer networks, electronic mail systems and so forth, or manually such as via registered mail or courier services.

The term “the contents of the dispatch” herein refers to any information element having information content the substance of which is equivalent to that of the information being dispatched. This includes for example the information source, either in paper document or electronic form, the actual dispatched information, any copies thereof, any descriptive information or portion of the information contents identifying the dispatched information, and so forth regardless of the representation or form.

The present invention also encompasses all types of methods and apparatuses which provide and/or associate the dispatch information with the contents in a relatively secure or reliable manner. The terms “relatively secure” and “reliable” herein mean “reasonably tamper-proof” or “tamper-detectable”, i.e., that it is assured that the authentic information elements are provided and associated in a reliable manner, for example by a non-interested third party or by a device or by a combination of both, and furthermore, that the associated authentication-information is secured against fraudulent actions such as disassociation, modification, replacement etc., attempted by an interested party such as the sending or receiving party, at least to the extent that such actions are detectable.

The dispatch information can be any information describing at least the time and destination of the dispatch and preferably the dispatch completion status. Other information relating to the dispatch, such as the identity of the sender and/or the recipient, handshake information, the actual elapsed dispatch time, the number of pages dispatched and so forth, the identification of the authenticator, for example its name, logo, stamp, etc., can also be provided.

Finally, the authentication-information can be secured or stored in a secure location or device, in its entirety or in part, together or separately, as desired.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be understood and appreciated more fully from the following detailed description taken in conjunction with the drawings in which:

FIG. 1 is a schematic pictorial illustration of the authentication method of the present invention implemented in a manual manner;

FIG. 2 is a schematic illustration of an authenticator, constructed and operative in accordance with a preferred embodiment of the present invention;

FIG. 3 is a schematic illustration of an alternative authenticator, constructed and operative in accordance with another preferred embodiment of the present invention;

FIG. 4 is a schematic illustration of an alternative authenticator, constructed and operative in accordance with an additional preferred embodiment of the present invention;

FIGS. 5 and 6 are schematic illustrations of verification mechanisms constructed and operative in accordance with the authenticator of FIG. 4;

FIG. 7 is a schematic illustration of an alternative authenticator, constructed and operative in accordance with yet another preferred embodiment of the present invention.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

Reference is now made to FIG. 1 which illustrates the method of the present invention as it can be implemented for paper documents being sent non-electronically. The method of FIG. 1 can be implemented for documents sent via any document dispatching service, such as a courier service or the registered mail service of the post office.

The sender 10 provides the documents 12 to be sent and a destination address 14 to a clerk 20 of the document dispatching service. The clerk 20 prepares a dispatch sheet 26, which typically has a unique dispatch identifier (not shown) and has room for dispatch information such as the date and time of dispatch or delivery 16, the destination address 14, an indication 18 of proof of delivery such as the recipient's identity and/or signature, and optionally, additional dispatch information such as the dispatcher's signature and the identity of the sender 10, etc.

The clerk 20 fills in the dispatch sheet 26 with the date/time 16 and the address 14, and then prepares a copy 24 of the documents 12 and a copy 34 of the dispatch sheet 26, typically by utilizing a copy machine 22 or an electronic scanner. The clerk 20 then places the original documents 12 into an envelope 28 carrying the address 14, and sends the envelope 28 to its destination 30. In one embodiment of the present invention the dispatching service utilizes a cash-register like device to fill in the dispatch sheet 26. This provides for reliable time stamping and automated dispatch record keeping. Furthermore, the electronic dispatch information produced by such a device can be associated using a special mathematical method as discussed in greater detail hereinbelow.

The clerk 20 associates the copy 24 of the documents 12 with the copy 34 of the dispatch sheet 26 by any method, a few examples of which follow:

a) by inserting the documents copy 24 and the dispatch sheet copy 34 into an envelope 32;

b) by inserting the copy 24 of the documents into an envelope 32 and marking the dispatch identifier on the outside of the envelope 32;

c) by printing the dispatch identifier on the documents copy 24; or

d) attaching the copies 24 and 34 and applying the stamp of the dispatch service in such a manner that part of the stamp is on the copy 24 of the documents and part of the stamp is on the copy 34 of the dispatch sheet 26.

Preferably, the clerk 20 secures the copies 24 and 34 in a manner that makes it difficult to modify or replace the information contained therein, for example by marking the pages of the copy 24 with the dispatching service's signature, stamp or seal, by spreading each page with invisible or other ink, by sealing the envelope 32 or by retaining them in the service's secure file 36 and so forth.

In one embodiment of the present invention, the associated copies 24 and 34 are provided to the sender at this stage (where the dispatch sheet 26 is retained with the service to ascertain delivery and to fill in the proof of delivery indication 18) or after the delivery is completed. In another embodiment, the dispatch service retains, in a secure location 36, one or both of the copies 24 and 34.

The clerk 20 can also identify the authenticating party, for example via his signature, or by having the dispatch sheet copy 34 printed on the stationery of the dispatching service, by stamping the documents and/or dispatch sheet copies with the service's stamp, logo or seal, etc.

When it is desired to authenticate the dispatch of the original documents (and possibly also their receipt at the destination 30), either the sender or the document dispatching service provides the associated authentication-information, for example the envelope 32, unopened, to the party which required the authentication. When the envelope 32 is opened, it has associated therewith copies of both the dispatched documents and the dispatch information. The envelope 32 therefore, provides a reliable proof that the original documents 12 were dispatched on the date and to the destination listed on or in envelope 32.

It will be appreciated that, since a non-interested third party who is neither the sender nor the receiver copied the original documents 12 being sent, it is unlikely that the copies stored in the envelope 32 are other than copies of the original documents 12.

Various modifications can be made to the embodiment provided hereinabove. For example, the document copy could be sent to the destination while the original could be authenticated. The authentication-information could be provided by the service, directly to the court of law. The document copy could be produced by a scanner or a camera and stored in an electronic or other storage device such as a disk or on microfilm, while a copy thereof is provided to the sender. The original dispatch sheet could be first filled out and then provided to the sender instead of using a copy. Moreover, the original documents could be scanned by the sender in the service's premises into a secure disk and one printed copy thereof could be sent by the service to the destination while another copy could be authenticated and provided to the sender. Alternatively, the documents could be provided to the service via transmission (e.g., by facsimile machine) rather than manually. In the case of a courier, the courier could produce the copy himself using a photocopier at the sender's premises, and so forth.

Reference is now made to FIG. 2 which illustrates an authenticator 70, constructed and operative in accordance with a preferred embodiment of the present invention, which can be part of a system for transmitting information, whether by facsimile machine, modem, computer, network or E-Mail stations, and any combinations thereof, or by other electronic means.

FIG. 2 illustrates a data communication system comprising a sending transceiver 42, a communication line 45, coupled to the sending transceiver 42, a communication network 44 and a receiving transceiver 46. Authenticator 70 of the present invention communicates at least with the sending transceiver 42, and can form part of the sending transceiver 42 or can be separated therefrom.

The sender provides original materials 40 for transmission, which can be paper documents or electronic information such as computer disk, memory and other electronic information including audio/video, text and graphics files or pictures. The sender also provides the destination address 52 which represents the address of the receiving transceiver 46 on communication network 44. The address 52 may for example be a dial number, a network user code and so forth. The sending transceiver 42 needs to transmit the information contents of the materials 40 to the receiving transceiver 46. To provide authentication, the transmission in FIG. 2 is performed through the authenticator 70 in a “store & forward” manner.

The authenticator 70 comprises input means 72 for receiving the transmitted information 60 and the destination address 62 from the communication line 45. The input means 72 may for example comprise a line interface, a Dual-Tone Multi Frequency (DTMF) decoder for receiving a destination address 62 such as a dial number, and a transceiver similar to that of the sending transceiver 42 which can receive the information 60.

The authenticator 70 also comprises an optional storage unit 54 such as a tape, disk or memory device and so forth for storing the information 60 and related dispatch information, an internal clock 50 for generating a time indication 66 of the transmission, a transceiver 76 for transmitting the information 60 to address 62 (the transceiver 76 can be used by the input unit 72 as well, for example by using a relay mechanism), a controller 56, a user interface 48, and an output unit 58 for providing the authentication-information, for example to the sender.

The information 60 is then transmitted over the communication network 44 to the receiving transceiver 46 by the transceiver 76 using the address 62.

The internal clock 50 provides an indication 66 of the current time, and is utilized to provide a time indication for the transmission. Internal clock 50 is securable (to ensure the veracity of the produced time indication 66), and preferably provides time indications according to a non-changing time standard, such as Greenwich-Mean-Time (G.M.T.) or UTC. Alternatively, the time indication 66 can be externally obtained, for example from a communication network server, as long as the source is secured from being set or modified by an interested party such as the sender. The security of the time indication can be provided in a number of ways, such as by factory pre-setting the clock 50 and disabling or password securing the Set Date/Time function of the internal clock 50. Alternatively, the clock 50 can maintain a “true offset” with the true preset date/time, that reflects the offset of the user set date/time from the genuine preset one.
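The “true offset” scheme for the internal clock 50 can be sketched in a few lines. The following is an added example, not code from the patent: a clock whose displayed date/time may be set by a user (behind a password, as the text suggests for the Set Date/Time function), but which records the offset of every such setting from the genuine, factory-preset time, so the true time remains recoverable for the time indication 66. The class names, the injected `tick` counter standing in for a hardware oscillator, and the sample values are all assumptions made for this illustration.

```python
# Added example (not from the patent): an internal clock that keeps a
# "true offset" so that a user-set date/time never hides the genuine
# factory-preset time. Names and the tick source are hypothetical.


class TrueOffsetClock:
    """Clock whose displayed time can be set by the user, while the offset
    of that setting from the genuine preset time is recorded.

    preset_epoch: factory-preset time (epoch seconds) at tick == 0.
    tick:         callable returning monotonic seconds since the preset;
                  stands in for the clock's own oscillator (assumption).
    set_password: guards the Set Date/Time function, as in the text.
    """

    def __init__(self, preset_epoch, tick, set_password):
        self._preset = preset_epoch
        self._tick = tick
        self._offset = 0            # user-set time minus true time
        self._password = set_password
        self.set_log = []           # (true_time_at_setting, offset) audit trail

    def true_time(self):
        """Genuine time: preset plus elapsed ticks, never user-adjustable."""
        return self._preset + self._tick()

    def displayed_time(self):
        """What the user sees: true time shifted by the recorded offset."""
        return self.true_time() + self._offset

    def set_time(self, user_epoch, password):
        """Set Date/Time: only changes the offset, and only with the password."""
        if password != self._password:
            raise PermissionError("Set Date/Time is password secured")
        now = self.true_time()
        self._offset = user_epoch - now
        self.set_log.append((now, self._offset))

    def time_indication(self):
        """Indication stored with a dispatch: the true time plus the offset,
        so an auditor can explain any mismatch with what the display showed."""
        return {"true_time": self.true_time(), "user_offset": self._offset}


class FakeTick:
    """Constructed monotonic counter so the example runs offline."""

    def __init__(self):
        self.seconds = 0

    def advance(self, seconds):
        self.seconds += seconds

    def __call__(self):
        return self.seconds
```

A dispatch record built with `time_indication()` therefore carries the true time even if the sender had set the display back by days; the `set_log` shows when and by how much the display was changed.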

The transmission completion indication 64 provides information regarding the success of the transmission. It is typically obtained from the communication protocol used by the transceiver 76. It may be for example in the form of an electronic signal provided by the transceiver 76 which is used to determine the validity of the rest of the authentication-information, or in a form similar to that provided in transmission reports such as “TRANSMISSION OK” or “ERROR”. In one embodiment of the present invention, the fact that the rest of the authentication-information elements are provided indicates that an affirmative completion indication has been provided.

The storage unit 54 is used for storing the information 60 and/or the dispatch information, including the address 62, the time indication 66, and optionally the transmission completion indication 64. Typically, the storage unit 54 is relatively secure, such that the authentication-information contained therein is assumed unchangeable. For example it may be a Write-Once-Read-Many (WORM) device such as an optical disk or a Programmable Read-Only Memory (PROM) device, it may be enclosed within a securable device, or it may be provided with read-only access privilege. Alternatively, the authentication-information is stored in a secure manner, for example using a compression, private or public key encryption or scrambling technique, a password, or a combination thereof, such as those employed by the widely used RSA encryption method, and by the PKZIP(tm) program from PKWARE Inc., Glendale Wis., U.S.A., and where the “securing” procedure, key or password are unknown to any interested party.

The controller 56 associates the information 60 and the dispatch information, by storing them in storage unit 54 and by associating link information with the stored authentication-information, for example in the form of a unique dispatch identifier such as a sequential dispatch number.

To provide the authentication-information for the transmission, the dispatch identifier is provided to the controller 56 through the user interface 48. The controller 56, in turn, retrieves the various stored authentication-information elements from storage unit 54. If the stored information is also secured (i.e., by compression, password, etc.), the controller 56 “unsecures” them, and then provides them to the output unit 58.

The output unit 58 provides the authentication-information to an output device (not shown). The authenticator 70 may include an output device or may communicate with some external unit. The output device can be, for example, a printing unit, a display unit, a storage unit such as a computer disk, the printing apparatus of the sending transceiver 42 and so forth.

The information 60 and the dispatch information can be associated with each other in any suitable manner. For example, if the materials 40 provided for transmission are paper documents, one embodiment of the authenticator 70 authenticates the original documents by printing the dispatch information on them. In another embodiment, they can be stored in storage unit 54 together (e.g., sequentially or combined into a single file), or separately using a link information element (e.g., using a dispatch identifier). If the output is a printout, output unit 58 typically formats the printout to indicate the dispatch information on at least one, and preferably on all, of the pages containing the printout. Alternatively, a link information element, such as a dispatch identifier, can be printed on each printed page of the information 60, and separately on a dispatch page containing the dispatch information. Another method includes printing both the information 60 and the dispatch information together on contiguous paper, optionally between starting and ending messages, and so forth. An alternative special mathematical association method is discussed hereinbelow.

Typically, the authenticator 70 is relatively secure, such that the various devices and the authentication-information elements enclosed therein can be assumed to be unchangeable. For example, the authenticator 70 can be enclosed within a password protected sealed electronic box which, if opened without authorization, may disable the normal operation of the authenticator 70, or may clearly indicate that it has been tampered with.

As mentioned hereinabove, the authenticator 70 can form part of the sending transceiver 42. FIG. 3 illustrates such an embodiment, which is similar to that of FIG. 2 and similar functional elements have similar reference numerals.

In FIG. 3, the input unit 72 of the sending transceiver 42 comprises means, for example a serial, parallel or disk interface, for inputting the information 60 and the destination address 62 from any component of the sending transceiver 42, for example from its input devices. The sending transceiver 42 replaces the transceiver 76 of FIG. 2. The storage unit 54 however is optional, as the information 60 and the related dispatch information could be provided to the output unit 58 “on-the-fly” in a manner similar to that used by the “copy” function of document facsimile machines.

Generally, in various embodiments of the authenticator 70, the information 60 can be obtained from any source and by any means, including a computer, a disk drive, a scanner or any other component of the sending transceiver 42, a communication line, a communication network and any combinations thereof, and so forth.

It is appreciated that in accordance with the present invention, the various information elements can be provided, generated, associated or secured either by single, combined or separate means of the authenticator 70.

Furthermore, any information element having information content the substance of which is equivalent to that of the transmitted information can serve for authentication purposes, regardless of its form, representation, format or resolution, whether it is a paper document or electronic information, whether digital or analog, whether in form of dots and lines or alphanumeric, binary, hexadecimal and other characters, or whether it is encrypted, compressed or represented otherwise, and so forth. The element may contain additional information which does not change the substance and its content, such as a logo, a header message, etc. Furthermore, it may contain control, handshake and even noise data. Alternatively, an information descriptor such as a form number or name can be provided, and/or any other information content such as the form's filled-in data, which identifies the dispatched information.

Optionally, additional dispatch information may be provided to, or generated by authenticator 70, such as the number of pages transmitted, page numbers, the sender's identification, the sending transceiver's 42 identification, the receiving transceiver's 46 identification, the transmission elapsed time, a transmission identifier, integrity information such as a cyclic redundancy code (CRC), a checksum or the length of the transmitted information, an authenticator identification indication such as a serial number, a verification from the communication network 44 that the transmission has actually taken place at the specified time from the sender to the recipient's address, a heading message, a trailing message and so forth.

Typically, when the authenticator 70 comprises a reasonably secure storage unit 54, the stored information is retained therein and copies thereof are provided to the output unit 58. Preferably, the provided output or any part thereof is reasonably secured, so as to prevent any fraudulent action. For example, if the output is a printout, it can be secured by spreading invisible or other ink on it, or by using special ink, special print fonts or special paper to print the authentication-information, or in any other suitable manner. Another method includes securing the dispatch information using, for example, an encryption technique, and printing the encrypted information on the printout. At a later stage the encrypted information can be decrypted to provide the true dispatch information, and so forth. Likewise, the mathematical association method as discussed hereinbelow can also be used.

It will be appreciated that the following embodiments fall within thescope of the present invention:

The authenticator of the present invention can operate for information,such as a document produced by a word processor, transmitted through acomputer. In this embodiment, the computer may include the secure timegenerator (which may for example be externally plugged into the parallelport). The authenticator obtains the dispatch information from thetransceiver, and the document is provided from the hard disk or wordprocessing program. The authenticator encrypts the document and thedispatch information together and stores them in a file. Whenauthentication is required, the authenticator retrieves the stored file,decrypts it and provides the document and the dispatch informationassociated therewith to a printer.

Similarly, information transmitted in a computer network or electronic mail system can be authenticated, for example, by having a file server or mail manager (whose time generator is considered secure) store the transmitted information together with its associated dispatch information in a secure manner. One embodiment of secure storage is that which has read-only privileges. Alternatively, such a read-only effect can also be obtained by having the authentication-information encrypted with the authenticator's private key: everybody can decrypt it using the authenticator's public key, but no interested party can change it without such action being detectable.

The present invention can be operated in conjunction with a message transmission forwarding service such as that provided by Graphnet Inc. of Teaneck, N.J., USA. The service obtains the information and address from the sender, typically by an electronic transmission, occasionally converts it (for example from ASCII text or word processor format into a transmissible document format) and forwards it to the requested address. The forwarding service serves as the authenticator and may for example provide the dispatch information associated with the transmitted information to the sender in a secure manner, such as in a sealed envelope or in encrypted form.

An efficient method for associating a plurality of information elements is by associating a digital representation thereof using a method referred to herein as “mathematical association”. A digital representation of an information element can be considered as a number, for example as the element's standard binary, hexadecimal or other base representation. Using mathematical association, rather than maintaining the information elements (numbers) themselves, it is sufficient to maintain the results (also numbers) of one or more functions which are applied to one or more of these information elements. (These results are sometimes referred to as “message-digests”, “hash-values” or “digital-signatures”). More formally, if A is a set of information elements, and F is the mathematical association function, then the set B of information elements is obtained as the result of applying the function F to the set A of information elements, i.e. B=F(A).

Preferably, the function F is selected such that a fraudulent attempt to change the elements of the set A, or an attempt to claim that a set A′ which comprises different elements is the original set, can be readily detected by comparing the result B′ obtained by applying the function F to the set A′, to the original result B, i.e., by checking if F(A′)=F(A).

It would be advantageous to select the function according to a cryptographic scheme. Encryption and digital envelope functions can provide for secure data interchange. Digital signatures can provide for accurate and reliable verification of both the signature generator and the data. One-way hash functions provide for security, and can reduce the size of the generated signatures while still enabling verification of the original data used to generate these signatures. Utilizing combinations of cryptographic schemes can optimize particular implementations.

Various function classes of various degrees of complexity can be used for mathematical association purposes in accordance with various embodiments of the present invention. Furthermore, the function F and/or the result B can be kept secret and unknown in general, and to interested parties such as the sender or the recipient in particular. However, even if the function F and/or the result B are known, the task of finding a meaningful different set A′ such that B=F(A′) is mostly very difficult even for relatively simple functions, not to mention for more complex ones.

A special class of functions most suitable for the purposes of the present invention is the class of functions having the property that given the result B=F(A), it is exceptionally difficult to find a second set A′ such that applying the function F to the second set A′ will yield the same result B. The term “exceptionally difficult” refers herein to the fact that although many different such sets A′ may exist, it is so difficult to find even one of them (sometimes even to find the set A itself) that it is practically infeasible. In fact, the functions of this class “hide” the elements they are applied to (and sometimes the elements cannot even be reconstructed), and therefore this class is referred to herein as “the Hiding Class”.

There are many advantages to using mathematical association in general, and functions of the Hiding Class in particular:

(a) It is efficient, for example for saving storage space and transmission bandwidth, to maintain a function result, the size of which is normally very small as compared to the original information elements themselves, which can be arbitrarily large.

(b) It provides security, since the result is cryptic and there is no need to secure the information elements themselves. Furthermore, it is difficult, and sometimes infeasible, to reconstruct the original elements.

(c) It provides a clear indication as to the authenticity of the elements of the set A used by the function to generate the result B. At any later time, the result B′ obtained by applying the function F to a purported set A′ can be compared to the original result B, and a match indicates beyond any reasonable doubt that set A′ is the same as the original set A. Moreover, integrity information such as the length of the information elements of the set A can be added and used as part of the set A, or the results of a plurality of functions can be maintained, so as to make the task of finding such a different set A′ infeasible.

(d) The result B′ provided for comparison must be equal to the original result B, since any change to A will yield a different result B′ with very high probability, and even if by chance a different set A′ is found for which F(A′)=B, the chance that it will be meaningful or will have the same length is practically zero.

(e) The function can be selected such that it is relatively easy and fast to compute the function result.

A few well known and widely used functions of the Hiding Class are encryption functions (e.g., the RSA [1.06] or the DES [1.01] algorithms) and Cyclic-Redundancy-Check [3] (C.R.C.) functions (e.g., the C.R.C-32 function). While C.R.C functions are generally used in applications requiring verification as to the integrity of an arbitrarily long block of data, encryption is used to maintain the original data elements, though in a different, cryptic representation. Encryption functions convert the information elements into one or more cryptic data blocks using one key, while enabling their reconstruction by providing a matching (same or different) key. Other well known members of this class of functions in the prior art are compression functions (e.g., the Lempel-Ziv 1977 [5] and 1978 algorithms), one-way hash functions [1.03] (e.g., the MD4 [4] and MD5 [1.04] algorithms), and MACs [1.13].

Since for authentication purposes there is no need to maintain the original information elements, the use of encryption functions (which normally maintain the information, though in a cryptic representation) may be inefficient. One-way hash functions (and other functions of the Hiding Class), on the other hand, maintain a small sized result value, but the information elements from which the result has been produced are secured, i.e., cannot be reconstructed therefrom. It would be more advantageous, for example, to apply a one-way hash function to the union of all the information elements, i.e., to a bit-string where the leftmost bit is the leftmost bit of the first element, and the rightmost bit is the rightmost bit of the last element. This produces a cryptic and secure result, as described hereinabove. Furthermore, one-way hash functions can be computed relatively quickly and easily.

Generally and more formally, the result B is a set of one or more information elements b1, . . . , bm, where each element bi (which itself can comprise one or more information elements) is the result of applying a (possibly different) function Fi to a subset Si of a set A which comprises one or more information elements a1, . . . , an, where the various subsets Si are not necessarily disjoint or different, each subset Si includes at least a portion of one or more (or even all) of the electronic information elements of the set A, and where each function Fi can comprise one or more functions (i.e., Fi can be the composition of functions). Preferably, the functions Fi are members of the Hiding Class. The elements of such a subset Si are considered to be mathematically associated.

Assuming that the set A comprises five information elements a1, a2, a3, a4, a5, a few examples of mathematical association functions Fi and their result set B follow (the UNION function is denoted as U(x1, . . . , xk), which is an information element comprising a bit-string, where the leftmost bit is the leftmost bit of the element x1, and the rightmost bit is the rightmost bit of the element xk):

(a) single element result set B

b1=F1(S1)=F1(a1,a4,a5)=a1/(a4+a5+1)

b1=F1(S1)=F1(a1,a3,a4)=ENCRYPT(U(a1,a3,a4))

b1=F1(S1)=F1(a1,a2,a3,a4,a5)=MD5(U(a1,a2,a3,a4,a5))*C.R.C(a3) mod 5933333

b1=F1(S1)=F1(a1,a2,a3,a4,a5)=C.R.C(ENCRYPT(U(a1,a2)),COMPRESS(U(a2,a3,a4)),a1,a5)

b1=F1(S1)=F1(a1,a2,a3,a4,a5)=U(a1,a2,a3,a4,a5) mod p (where p is a large prime number)

b1=F1(S1)=F1(a1,a2,a3,a4,a5)=ENCRYPT(MD5(U(a1,a2,a3,a4,a5)))

(b) multi-element result set B

B=[C.R.C(U(a1,a3)),a2/(a1+1),ENCRYPT(a5)]

b1=F1(S1)=F1(a1,a3)=C.R.C(a1,a3)

b2=F2(S2)=F2(a1,a2)=a2/(a1+1)

b3=F3(S3)=F3(a5)=ENCRYPT(a5)

The elements of two or more (not necessarily disjoint) subsets of set A can be associated with each other by associating the elements of the result set B which correspond to these subsets, either mathematically or by non-mathematical methods, as described hereinabove. Furthermore, if there is a subset of elements of set A to which no function has been applied, these elements may be associated with the elements of the result set B, again either mathematically or by non-mathematical methods.

Moreover, the elements of two or more subsets of the set A can be associated with each other by associating the elements of each of these subsets with a common subset comprising one or more elements of the set A, where this common subset uniquely relates to the specific dispatch. This type of association is referred to herein as “indirect association”, and the elements of this common subset are referred to herein as “link elements”. A link element can be for example a unique dispatch number, or the subset comprising the time indication and a machine serial number, etc.

For example, assuming that the element a2 of the above set A uniquely relates to the dispatch, the following function generates a multi-element result set B:

B=[b1,b2,b3]=[ENCRYPT(a1,a2), COMPRESS(a2,a3,a4), a2+a5]

where the subsets Si include the following elements: S1=[a1,a2], S2=[a2,a3,a4] and S3=[a2,a5]. The elements of each subset are mathematically associated. Since all of these subsets include the common link-element a2, all their elements (in this case all the elements of the set A) are associated with each other.
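The following Python program is an added illustration of the multi-element association just described; it is not part of the patent text. The five elements a1 to a5 are constructed sample values standing for the contents, a unique dispatch number (the link element a2), the time indication, the destination and the completion indication; the three subsets S1, S2 and S3 are those of the example above. U is the UNION with each element prefixed by its length, which is the "integrity information such as the length" that advantage (c) recommends, and SHA-256 stands in for the one-way hash because MD5, which the text names, is no longer considered collision-resistant. The tamper checks at the end show how a change in one element of A is detected by exactly the result elements bi whose subsets contain it.

```python
import hashlib

# Added example (not from the patent): mathematical association of a
# dispatch's information elements with a one-way hash, in the notation of
# the text (set A of elements a1..a5, UNION U, result set B, link element a2).
# hashlib.sha256 stands in for the one-way hash; the patent cites MD4/MD5.


def U(*elements: bytes) -> bytes:
    """UNION of elements as one bit-string, left to right.

    Each element is prefixed with its 4-byte length. Without that integrity
    information U(b"ab", b"c") and U(b"a", b"bc") would be the same
    bit-string, so two different sets A would share one result B.
    """
    out = b""
    for e in elements:
        out += len(e).to_bytes(4, "big") + e
    return out


def F(subset: bytes) -> bytes:
    """A function of the Hiding Class: one-way hash of a union of elements."""
    return hashlib.sha256(subset).digest()


def associate(A: dict) -> dict:
    """Result set B for the subsets S1=[a1,a2], S2=[a2,a3,a4], S3=[a2,a5].

    a2 (a constructed unique dispatch number) is the link element: every
    subset contains it, so all elements of A are indirectly associated.
    """
    return {
        "b1": F(U(A["a1"], A["a2"])),
        "b2": F(U(A["a2"], A["a3"], A["a4"])),
        "b3": F(U(A["a2"], A["a5"])),
    }


def verify(A_purported: dict, B_original: dict) -> bool:
    """Check F(A') = F(A) element by element; any mismatch means A' != A."""
    B_new = associate(A_purported)
    return all(B_new[k] == B_original[k] for k in B_original)


# Constructed sample dispatch (not real data).
A = {
    "a1": b"Contract draft v3, please countersign by Friday.",  # contents
    "a2": b"dispatch#000417",                                  # link element
    "a3": b"1996-05-14T09:31:00Z",                             # time indication
    "a4": b"+1-201-555-0100",                                  # destination
    "a5": b"delivery: success, 3 pages",                       # completion
}

B = associate(A)  # what the authenticator keeps; A itself need not be secured


def demo_tamper() -> tuple:
    """Return (honest check, check after the contents a1 were altered)."""
    A_forged = dict(A, a1=b"Contract draft v3, no countersignature needed.")
    return verify(A, B), verify(A_forged, B)


if __name__ == "__main__":
    for k, v in B.items():
        print(k, v.hex())
    print(demo_tamper())
```

Note that only the subsets containing the altered element change their result: changing a3 alters b2 alone, while changing the link element a2 alters all three, which is what makes a2 tie the whole set together.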

Reference is now made to FIG. 4, which is a block diagram that illustrates an authenticator 100, constructed and operative in accordance with a preferred embodiment of the present invention. The authenticator 100 comprises a secure time generator 104, a storage device 106 and a function executor 102 which has means for inputting the following information elements: the transmitted information, the destination address, a time indication generated by the secure time generator 104, and a dispatch completion indication. Optionally, additional information elements can be provided as well.

The function executor 102 can be for example a Microchip Technology Inc. PIC16C5x series EPROM-based micro-controller, and the input means can be for example an I/O port, or a serial, parallel or disk interface. The function executor 102 is capable of executing a function F on at least one, and preferably on the union of all, of the input elements, and of generating a result information element which is provided to a storage device 106, and optionally to an output device 108, such as a printing device.

Preferably, the function F is a member of the Hiding Class, and is kept unknown, at least to any interested party, by the function executor 102. This can be achieved for example by enabling the code protection feature of the PIC16C5x series microcontroller. Alternatively, a MAC [1.13] such as a one-way hash function MAC can be used, where secret codes, keys and data relating to the function can for example be stored in a shielded memory device which is automatically erased if the authenticator 100 is tampered with. Also, preferably the storage device 106 is a WORM device, such as a PROM. Preferably, a different function is used for each device employing the function F. This can be achieved for example by using different keys or codes with each function.

In accordance with one embodiment of the present invention, the authenticator further comprises a verification mechanism for verifying the authenticity of a set of information elements purported to be identical to the original set of information elements. It is however appreciated that the verification mechanism can be separate therefrom.

Reference is now made to FIG. 5, which is a block diagram that illustrates a verification mechanism 120, constructed and operative in accordance with a preferred embodiment of the present invention, where at least part of the information elements were mathematically associated by the authenticator 100 of FIG. 4.

The verification mechanism 120 includes a function executor 122 for generating a new result information element according to the same function employed by the function executor 102 of FIG. 4. The function executor 122 has means for inputting information elements corresponding to the original information elements input to the function executor 102 of FIG. 4, and which are purported to be identical to those original elements.

The verification mechanism 120 also comprises a comparator 124, which has input means for inputting the newly generated result information element and the original result information element, which may be obtained from the storage device 106 of FIG. 4, or manually, for example through a keyboard. The comparator 124 then compares the two provided result information elements to determine if they are the same, and the comparison result can be output for example to a display or printing unit. A match indicates that the purported information elements are authentic.
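As an added illustration of the authenticator 100 of FIG. 4 together with the verification mechanism 120 of FIG. 5 (example code, not the patent's own), the following Python models the function executor 102 as a keyed one-way hash MAC (HMAC-SHA256), with the per-device key standing in for the secret codes that keep F unknown to interested parties, the storage device 106 as an append-only list, and the secure time generator 104 as a constructed clock. The verification mechanism recomputes the result with the same device key and compares it with a constant-time comparison, which is how the comparator 124 should be built so that a forger learns nothing from how long a mismatch takes to report. All keys and dispatch data are constructed for the example.

```python
import hashlib
import hmac

# Added example (not the patent's code): a FIG. 4 style authenticator whose
# function F is HMAC-SHA256 under a per-device key, plus the FIG. 5 style
# verification mechanism (function executor 122 + comparator 124).


def union(*elements: bytes) -> bytes:
    """Length-prefixed UNION of the input elements, as U(x1, ..., xk)."""
    return b"".join(len(e).to_bytes(4, "big") + e for e in elements)


class Authenticator100:
    """Secure device: function executor 102, time generator 104, storage 106."""

    def __init__(self, device_key: bytes, clock):
        self._key = device_key  # per-device secret: a different key gives each device its own F
        self._clock = clock     # stands in for the secure time generator 104
        self.storage = []       # stands in for the WORM storage device 106

    def _F(self, transmitted: bytes, destination: bytes, time_ind: bytes, completion: bytes) -> bytes:
        """F applied to the union of all input elements (kept unknown via the key)."""
        data = union(transmitted, destination, time_ind, completion)
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def authenticate(self, transmitted: bytes, destination: bytes, completion: bytes) -> dict:
        """Function executor 102: generate the result element and record it."""
        time_ind = self._clock().encode()
        result = self._F(transmitted, destination, time_ind, completion)
        record = {"time": time_ind, "result": result}
        self.storage.append(record)  # append only; nothing is ever rewritten
        return record

    def verify(self, transmitted: bytes, destination: bytes, time_ind: bytes,
               completion: bytes, original_result: bytes) -> bool:
        """Verification mechanism 120: executor 122 recomputes, comparator 124 compares."""
        new_result = self._F(transmitted, destination, time_ind, completion)
        return hmac.compare_digest(new_result, original_result)


def constructed_clock() -> str:
    """Fixed time indication so the example is deterministic (constructed)."""
    return "1996-05-14T09:31:00Z"


def demo() -> dict:
    """Run one dispatch through the device and try four verifications."""
    device = Authenticator100(b"device-0001-secret-key", constructed_clock)
    other = Authenticator100(b"device-0002-secret-key", constructed_clock)
    doc, addr, done = b"Invoice 4711, 2 pages", b"+1-201-555-0100", b"OK"
    rec = device.authenticate(doc, addr, done)
    return {
        "genuine": device.verify(doc, addr, rec["time"], done, rec["result"]),
        "altered_destination": device.verify(doc, b"+1-201-555-0199", rec["time"], done, rec["result"]),
        "backdated": device.verify(doc, addr, b"1996-05-13T09:31:00Z", done, rec["result"]),
        "other_device": other.verify(doc, addr, rec["time"], done, rec["result"]),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'match' if ok else 'mismatch'}")
```

The last case illustrates the text's point that only the designated authenticator holding the key can verify: a second device with its own key computes a different result for the same elements, so a certificate produced on one device is not verifiable on another.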

Reference is now made to FIG. 6, which is a block diagram that illustrates a verification mechanism 140, constructed and operative in accordance with a preferred embodiment of the present invention, where the information elements were associated non-mathematically, and are for example stored in storage unit 54 by the authenticator 70 of FIG. 2.

The verification mechanism 140 comprises a comparator 144, which has input means for inputting at least one of the stored associated information elements from the storage unit 54 of FIG. 2. The comparator 144 also has input means for inputting the corresponding information elements purported to be identical to the stored elements. The comparator 144 then compares the corresponding information elements to determine if they are the same, and the comparison result can be output for example to a display or printing unit. A match of all the compared elements indicates that the purported information elements are authentic.

It is appreciated that various embodiments of the present invention can include a combination of the verification mechanisms described hereinabove.

Also, part of the securing methods which were described for FIG. 2 include for example encryption and compression methods, which formally relate to mathematical association functions such as ENCRYPT(a1, . . . , aj) and COMPRESS(a1, . . . , aj). Occasionally, there is a need for reconstructing some or all of the secured mathematically associated information elements, for example for providing them to an output unit or to the comparator of the verification mechanism. Since some compression and encryption functions (as some other functions) are reversible, they are typically used when reconstruction of the elements is needed. (A function G is considered reversible if there exists a function H such that H(G(x))=x, and the function H is called the inverse function of G).

As discussed hereinabove, a mathematical association function can generally comprise a single function, or the composition of two or more functions. For example, the function ENCRYPT(a1, . . . , aj) comprises a single function ENCRYPT, which is reversible, and its inverse function is DECRYPT. Another function, COMPRESS(ENCRYPT(a1), C.R.C(a2, . . . , aj)), is the composition of three functions, COMPRESS, ENCRYPT and C.R.C, where the first two are reversible and their inverse functions are DECOMPRESS (which yields the set comprising ENCRYPT(a1) and C.R.C(a2, . . . , aj)) and DECRYPT (which yields the element a1) respectively. The C.R.C function, however, is not reversible.

Formally, if a function Fi comprises one or more functions, some of which are reversible, a set C comprising one or more information elements c1, . . . , ck can be generated, where this set C is expressible as a function I applied to the result information element bi of the function Fi, where this function I comprises the inverse function of one or more of these reversible functions.

While the authentication methods described hereinabove refer mostly to symmetric digital signatures, a preferred authentication method may be obtained using public-key digital signatures. A major advantage of public-key digital signatures over symmetric digital signatures is that they enable any third party (such as a judge) to verify the authenticity of both the data and the signer (whereas by using symmetric digital signatures, only a designated authenticator such as a secure device or a trusted third party, which has knowledge of the function, secret keys/codes etc., can perform the verification). The data is guaranteed not to be tampered with, and furthermore, once the data is signed, the signer is actually “committed” to it and cannot later repudiate his commitment to the digitally signed data, for only the signer, who has sole knowledge of his private key, could have created the signature, thus allowing such data to be legally binding.

Typically, public-key digital signature generation and data authentication are performed in the following manner: a computation involving the signer's private key and the data, which can comprise various elements such as the dispatched message, the time indication, the destination address, and so forth, is performed; the output is the digital signature, and may be attached to the data or separated therefrom. In a later attempt at verification of the data, some computation involving the purported data, the signature, and the signer's public key is performed. If the results properly hold in a simple mathematical relation, the data is verified as genuine; otherwise, it may be forged or may have been altered or otherwise tampered with.

Since the signing process using the whole (plain) data is generally time consuming and the signature consumes a considerable amount of storage space, typically a relatively unique representation (also called a “fingerprint” or the “message digest”) of the data is first generated using a process in which the data is “condensed” or “hashed”, for example by means of a one-way hash function, into a relatively small value, thereby fixing its contents, and the signing process is performed on the fingerprint, resulting in an equivalent effective authentication. Therefore, the term digital signature herein refers to the digital signature of either the plain data element(s) or of any representation (function) thereof.

As described hereinabove, the fingerprint of a series of data elements can be generated, thereby fixing their contents and associating them with each other. Since public-key digital signatures belong to the “Hiding Class”, and since they further have the property that they can be generated with one key (such as the private key), and provide for later non-repudiable verification using another matching key (such as the public key), the usage of such functions for the purposes of the present invention is therefore of great advantage.

Reference is now made to FIG. 7, which is a block diagram that illustrates an E-Mail system 700, and a message dispatch and authentication service 750, constructed and operative in accordance with a preferred embodiment of the present invention. The sender 701 provides the E-Mail message 702 and the recipient's 799 E-Mail address 704 to the message dispatch and authentication service 750. Without limiting the generality, although reference is made to E-Mail dispatching services and systems in general, it is appreciated that implementations relating to the embodiments described herein can be easily extended, modified, ported or derived therefrom to other electronic data dispatch systems.

The dispatched message 702 may comprise any digital data such as text, pictorial, graphic, audio and video data, any number of files etc., in any form or representation, e.g., compressed, encrypted, plaintext etc. Preferably, the message 702 includes the sender's 701 digital signature, which the sender can generate by means of his private key, in order to establish the sender's “commitment” to the message 702, and to provide for verification of the message, and of the sender as the message originator, by any third party using the sender's public key.

Digital signatures can be generated in system 700 for example by means of a verifiable public-key algorithm such as RSA or DSA. Fingerprints can be generated for example by means of a one-way hash function such as MD4 or MD5.

The service 750 forwards the message 702 to the recipient 799 using the address 704. The service 750, preferably after assuring that the message has been successfully delivered, adds (e.g., appends) a dispatch time indication 720 to the message 702 and the address 704, as well as information 708 indicating the success (or failure) of the message delivery. Obviously, additional dispatch information elements, such as a sequential dispatch number, the sender, recipient and service identification information and so forth, may be added as well.

The service 750 then associates the above data elements, for example by generating their fingerprint, which is then signed using the service's private key 752 to produce the service's signature 742. Signing the fingerprint can reduce the resulting signature 742 computation time, transmission bandwidth and storage space. The service then provides back to the sender 701 a service-generated certificate 740 comprising the service's signature 742 and optionally various dispatch information elements from which it has been generated (there is no need to provide the message 702 and address 704 since they are already with the sender 701); thus the certificate 740 is typically tiny.

Thus, for example, using RSA to generate the signature, if M is the dispatched message 702, A is the address 704, T is the time indication 720, I is the delivery information 708, and Ka is the authentication service's RSA private key, then the following is a sample calculation of S—the signature 742:

S=RSA(MD5(U(T,I,M,A)),Ka)

The certificate 740, which comprises the service's digital signature for the dispatch transaction, constitutes non-repudiable evidence witnessed by the service for the dispatch and its contents, since the dispatched message contents are securely associated with the dispatch information (by means of the service's generated signature and/or fingerprint), and since the signature, the message and the dispatch information can at any later time be authenticated and verified by any third party, both for integrity and originality, by means of the service's public key (and if the message has also been signed by the sender, it can further be verified in the same manner using the sender's public key).

Thus, for example, if PBKa is the service's public key, then by providing the above signature S, the purported message M′, time indication T′, address A′ and delivery information I′ can be authenticated by verifying that the following relation holds:

RSA(S,PBKa)=MD5(U(T′,I′,M′,A′))

To increase the credibility of the system, a record of the certificate 740 can be kept with the service, and furthermore, a copy of the certificate 740 can be provided for storage to one or more trustees, such as a designated authority, or law and/or public accounting firms. Alternatively, the certificate 740 may itself be signed by one or more trustees, using their private keys.

A related embodiment can utilize a Time Stamping Service (TSS) such as the Digital Notary System (DNS) provided by Surety Technologies Inc. [1.10], which has been proposed by Haber et al. in their U.S. patent documents [2]. The certificate 740 or any portion thereof (such as the signature 742) can be sent to the DNS to be time stamped. Alternatively, an embodiment of the present invention could internally implement the DNS scheme. The DNS generates a certificate authenticating the certificate 740. Utilizing such time stamping schemes is of great advantage, since the DNS generated certificates are virtually unforgeable, and there is no need to deposit copies of the certificates with trustees. Since in this case the DNS time stamps the certificate 740 anyway, the service 750 itself optionally need not add the time indication 720.

Thus, for example, if C is the certificate 740 (not including the time indication 720), which comprises A, I, N and S (as defined above), and T is the time indication added by the DNS, then DNSC, the DNS generated certificate, may be calculated as follows:

DNSC=DNS(C,T)

As mentioned above, the message 702 is preferably digitally signed with the sender's 701 private key, to enable authentication of the sender's identity as the message originator using the sender's public key, to establish the sender's non-repudiable commitment to the message, and to verify the message integrity.

Nevertheless, any other method can be used for identification and/or authentication of the sender, though such methods can sometimes be more vulnerable or less effective. One embodiment for example could utilize a hardware component (preferably secured) with the sender's unique identification information “burned-in”. In another embodiment the service 750 can utilize various log-in procedures to identify and authenticate the sender when he logs in to obtain service. Sample authentication protocols and schemes are described in [1.09] and [1.11].

Likewise, the identity of the recipient 799 of the message can be authenticated in similar manners. This is useful for example when both the sender and the recipient log into the same dispatch service for E-Mail transactions. However, the message 702 is frequently delivered to another E-Mail server (acting as the recipient's agent, where the recipient later logs in, identifies himself and downloads his messages) rather than to the recipient himself.

In such embodiments, it might be sufficient to obtain proof of delivery from the receiving server, for example in the form of a server's digitally signed certificate, which may for example comprise the server's identification information, a dispatch identifier, the recipient's address and preferably the message and so forth (or a fingerprint thereof), while assuming that the message will eventually reach the recipient. Alternatively, a later proof of the final delivery may be obtained from that receiving server. Such delivery details as described above may be included in the delivery information 708.

In order to avoid potential disputes, as for example in case of contractual E-Mail correspondence, it may be useful to back up such correspondence by an agreement where the parties agree that a delivery indication provided by the recipient's agent is to be considered an acceptable proof of delivery to the recipient. Alternatively, it may be agreed that multiple (two, three or more) certified dispatches of the message are to be considered an acceptable proof of delivery, and so forth.

In one preferred embodiment, the recipient (or its agent) may provide a counter-signature (using his private key) for the message, the sender's digital signature of the message, or the service's certificate, or for any portions thereof. This may provide ultimate evidence for the message dispatch, its contents, its time and its delivery to its destination. Thus, if Ks, Kr, Ka are the private keys of the sender, the recipient (or his agent) and the authentication service 750 respectively, M is the dispatched message 702, T is the time indication 720, N is a sequential dispatch number, IDs and IDr are the identification information of the sender and recipient respectively, and A is the recipient's address 704, then the following sample calculations of S—the signature 742 can be performed:

S=RSA(Ka,MD5(U(N,A,T,M,IDs,IDr)))  1.

S=RSA(Ka,MD5(U(T,M,M′,R)))  2.

S=RSA(Ka,MD5(U(N,T,A,M,M′,R″)))  3.

S=RSA(Ka,MD5(U(T,M′,R)))  4.

S=DNS(T,MD5(U(M′,R)))  5.

where

M′=RSA(Ks,MD5(M))

R=RSA(Kr,MD5(U(M,N)))

R′=RSA(Kr,M′)

R″=RSA(Kr,N)
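The Python program below is an added example, not the patent's own code, that carries sample calculation 2 above through in working form and also covers the earlier service certificate S=RSA(MD5(U(T,I,M,A)),Ka) and its verification RSA(S,PBKa)=MD5(U(T′,I′,M′,A′)), since both rest on the same signing and fingerprint routines. The sender produces M′=RSA(Ks,MD5(M)), the recipient (or its agent) the counter-signature R=RSA(Kr,MD5(U(M,N))), and the service S=RSA(Ka,MD5(U(T,M,M′,R))); a third party then checks each relation with the public keys alone. RSA is written as the formulas write it, i.e. textbook RSA applied directly to the MD5 fingerprint, and the keys are built from fixed well-known primes (Mersenne primes and the Curve25519 and NIST P-192 field primes, constructed key material only) so that the run is deterministic. M, N and T are constructed sample values. A deployed service would use a standardised padded signature scheme such as RSA-PSS over a SHA-2 hash rather than raw RSA over MD5; the structure of the certificate and of the three-way verification is the same.

```python
import hashlib
import math

# Added example (not the patent's code): service certificate of sample
# calculation 2 with the sender's signature M' and the recipient's
# counter-signature R, and its third-party verification with public keys.
# Textbook RSA on the MD5 fingerprint, exactly as the formulas are written.

# Well-known primes used as constructed key material (M61, M89, M107, M127,
# the Curve25519 field prime and the NIST P-192 field prime).
PRIMES = {
    "M61": (1 << 61) - 1,
    "M89": (1 << 89) - 1,
    "M107": (1 << 107) - 1,
    "M127": (1 << 127) - 1,
    "P25519": (1 << 255) - 19,
    "P192": (1 << 192) - (1 << 64) - 1,
}


def make_key(p: int, q: int) -> dict:
    """Textbook RSA key from two primes: {'n', 'e', 'd'}; (n, e) is public."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while math.gcd(e, phi) != 1:  # choose a public exponent invertible mod phi
        e += 2
    return {"n": n, "e": e, "d": pow(e, -1, phi)}


def public(key: dict) -> dict:
    """PBK: the part of a key that a third party is given."""
    return {"n": key["n"], "e": key["e"]}


def U(*elements: bytes) -> bytes:
    """Length-prefixed UNION of elements, as in the mathematical association text."""
    return b"".join(len(x).to_bytes(4, "big") + x for x in elements)


def MD5(data: bytes) -> int:
    """Fingerprint as an integer so that it can be an RSA message."""
    return int.from_bytes(hashlib.md5(data).digest(), "big")


def RSA_sign(key: dict, h: int) -> int:
    """RSA(K, h): signature with the private exponent; h must be below n."""
    assert 0 <= h < key["n"]
    return pow(h, key["d"], key["n"])


def RSA_open(sig: int, pbk: dict) -> int:
    """RSA(S, PBK): recover the signed fingerprint with the public exponent."""
    return pow(sig, pbk["e"], pbk["n"])


def as_bytes(x: int) -> bytes:
    """Fixed-width encoding so a signature can itself be an element of U."""
    return x.to_bytes(48, "big")  # every modulus above is below 2^384


Ks = make_key(PRIMES["M89"], PRIMES["P192"])    # sender 701
Kr = make_key(PRIMES["M61"], PRIMES["P25519"])  # recipient 799 (or its agent)
Ka = make_key(PRIMES["M107"], PRIMES["M127"])   # authentication service 750

# Constructed sample dispatch.
M = b"Agreed: 500 units at USD 12.00, delivery June 1996."  # message 702
N = b"000417"                                               # dispatch number
T = b"1996-05-14T09:31:00Z"                                 # time indication 720


def certify(M: bytes, N: bytes, T: bytes) -> dict:
    """Sample calculation 2: M' by the sender, R by the recipient, S by the service."""
    M_ = RSA_sign(Ks, MD5(M))                                   # M' = RSA(Ks, MD5(M))
    R = RSA_sign(Kr, MD5(U(M, N)))                              # R  = RSA(Kr, MD5(U(M, N)))
    S = RSA_sign(Ka, MD5(U(T, M, as_bytes(M_), as_bytes(R))))   # S  = RSA(Ka, MD5(U(T, M, M', R)))
    return {"T": T, "N": N, "M_": M_, "R": R, "S": S}


def verify_certificate(M: bytes, cert: dict) -> bool:
    """Third-party check using only PBKs, PBKr, PBKa; every relation must hold."""
    sender_ok = RSA_open(cert["M_"], public(Ks)) == MD5(M)
    recipient_ok = RSA_open(cert["R"], public(Kr)) == MD5(U(M, cert["N"]))
    fingerprint = MD5(U(cert["T"], M, as_bytes(cert["M_"]), as_bytes(cert["R"])))
    service_ok = RSA_open(cert["S"], public(Ka)) == fingerprint
    return sender_ok and recipient_ok and service_ok


def demo() -> tuple:
    """(genuine, message amended afterwards, time indication altered)."""
    cert = certify(M, N, T)
    return (verify_certificate(M, cert),
            verify_certificate(M + b" (amended)", cert),
            verify_certificate(M, dict(cert, T=b"1996-05-13T09:31:00Z")))


if __name__ == "__main__":
    print(demo())
```

Because S covers M′ and R, the service's signature binds the sender's commitment and the recipient's acknowledgement to the time indication in one certificate; altering any of the message, the time, the dispatch number or either party's signature breaks at least one of the three relations.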

Such incorporation of identification information relating to the sender 701, the recipient 799 or both (either by means of their digital signature, or otherwise) in the certificate generated by the service 750 can provide for more complete authentication of the entire dispatch transaction, and can be used as evidence for the dispatch and its contents by both the sender and the recipient.

BIBLIOGRAPHY AND REFERENCES

[1] “Applied Cryptography (2nd Edition)”, (Schneier Bruce, John Wiley & Sons, 1996).

[1.01] see [1] Chapter 12, pp. 265-301.

[1.02] see [1] Chapter 13 Section 13.9, pp. 319-325.

[1.03] see [1] Chapter 18 Section 18.1, pp. 429-431.

[1.04] see [1] Chapter 18 Section 18.5, pp. 436-441; see also “One-Way Hash Functions,” (B. Schneier, Dr. Dobb's Journal, M&T Publishing Inc., September 1991 Vol 16 No. 9 pp. 148-151); see also Internet Request For Comments (RFC) document 1321.

[1.05] see [1] Chapter 19 Section 19.1, pp. 461-462.

[1.06] see [1] Chapter 19 Section 19.3, pp. 466-474; see also “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems” (Rivest, R. L., A. Shamir, and L. Adleman, Communications of the ACM, ACM Inc., February 1978 Vol 21 No. 2, pp. 120-126).

[1.07] see [1] Chapter 20 Section 20.1, pp. 483-494; see also “The Digital Signature Standard proposed by the National Institute of Standards and Technology” (Communications of the ACM, ACM Inc., July 1992 Vol 35 No. 7 pp. 36-40).

[1.08] see [1] Chapter 24 Section 24.12, pp. 584-587.

[1.09] see [1] Chapter 3 Section 3.2, pp. 52-56.

[1.10] see [1] Chapter 4 Section 4.1, pp. 75-79.

[1.11] see [1] Chapter 21, pp. 503-512.

[1.12] see [1] Chapter 2, Sections 2.6-2.7, pp. 34-44; see also [1] Chapter 20, pp. 483-502.

[1.13] see [1] Chapter 18, Section 18.4, pp. 455-459.

[2] U.S. Pat. Nos. 5,136,646, 5,136,647, and 5,373,561.

[3] “Cyclic Redundancy Checksums (Tutorial)” (Louis, B. Gregory, C Users Journal, R & D Publications Inc., Oct 1992 v10 n10 p55 (6)); see also “File verification using C.R.C.” (Nelson, Mark R., Dr. Dobb's Journal, M&T Publishing Inc., May 1992 Vol 17 No. 5 p64(6)).

[4] “The MD4 Message Digest Algorithm” (R. L. Rivest, Crypto '90 Abstracts, August 1990, pp. 301-311, Springer-Verlag).

[5] “A Universal Algorithm for Sequential Data Compression” (Ziv, J., Lempel, A., IEEE Transactions On Information Theory, Vol 23, No. 3, pp. 337-343).

The references and publications described by the above-mentioned articles are incorporated herein by reference.

While the present invention has been described with reference to a few specific embodiments, the description is illustrative of the invention as defined by the claims.

What is claimed is:
 1. Apparatus for authenticating that certain information has been transmitted from a sender via a dispatcher to a recipient, the apparatus comprising: means for providing a set A comprising a plurality of information elements a1, . . . , an, where said information element a1 is originated from the sender and comprising the contents of the information being electronically transmitted to said recipient, and said one or more information elements a2, . . . , an comprising dispatch-related information and comprise at least the following elements: a2—a time indication associated with said dispatch; and a3—information describing the destination of said dispatch, and wherein at least said information element a2 is provided in a manner that is resistant to or indicative of tampering by either of said sender and said recipient; and an authenticator functioning as a non-interested third party with respect to the sender and the receiver and having (1) means for associating said dispatch-related information with said element a1 by generating authentication-information comprising a representation of at least said elements a1, a2 and a3, said representation comprising a set of one or more elements, each comprising a representation of one or more elements of said set A; and (2) means for securing at least part of said authentication-information against tampering of said sender and recipient; wherein at least one of the means for associating and for securing comprises means for generating a new set B, said set B comprising one or more information elements b1, . . . , bm, each element bi comprising a representation of a subset Si, said representation being expressive as a function Fi of the elements of said subset Si, where said subset Si comprises a digital representation of at least one element of said set A, and where said functions Fi can be different.
 2. Apparatus according to claim 1, wherein said element a2 comprises at least one element selected from the group consisting of the date associated with said dispatch, and the time associated with said dispatch.
 3. Apparatus according to claim 1 or 2, wherein said dispatch-related information comprises at least one element selected from the group consisting of a delivery indication associated with said dispatch, the number of pages transmitted, page numbers, an indication of identification associated with said sender, an indication of identification associated with said recipient, said dispatch duration, integrity information, an indication of dispatch identification associated with said dispatch, an indication of identification associated with said apparatus, a heading message, and a trailing message.
 4. Apparatus according to claim 1, wherein the elements of said authentication-information have a form selected from the group consisting of the following forms: a paper document, microfiche and electronic information, and where each of said elements can have different form.
 5. Apparatus according to claim 1, wherein said element a1 is provided from the sender by electronic means.
 6. Apparatus according to claim 1, wherein said authentication-information comprises a representation of at least part of said new set B.
 7. Apparatus according to claim 5, wherein said electronic means comprises a combination of at least one of the following: a communication network, a scanning device, a dispatcher, and a computer.
 8. Apparatus according to claim 1 or 7, wherein said dispatcher comprises at least one element selected from the group consisting of a facsimile machine, a modem, a network interface card (NIC), a computer, a communication line, a communication network, an E-Mail system, an EDI system, and a message transmission forwarding service.
 9. Apparatus according to claim 1, comprising means for authenticating the identity of at least one member selected from the group consisting of said sender, said recipient, an agent of said sender, and an agent of said recipient.
 10. Apparatus according to claim 1, comprising means for providing said dispatched information to said dispatcher for electronic transmission to said recipient.
 11. Apparatus according to claim 1 wherein the apparatus is combined in whole or in part with said dispatcher.
 12. Apparatus according to claim 1, and comprising means for generating selected elements of said set A.
 13. Apparatus according to claim 1, wherein said element a3 comprises at least one element selected from the group consisting of an address associated with said dispatch, an address associated with said recipient, and an indication of identification associated with said recipient.
 14. Apparatus according to claim 3, wherein said delivery indication comprises an indication of identification associated with said recipient.
 15. Apparatus according to claim 1, comprising means for providing an output comprising a representation of at least part of said authentication-information.
 16. Apparatus according to claim 1, wherein said means for securing comprises secure storage means for storing at least part of said authentication-information.
 17. Apparatus according to claim 1, wherein at least one member selected from the group consisting of said function Fi and at least one information element of said new set B, is unknown at least to said sender.
 18. Apparatus according to claim 1 or 17, wherein said new set B comprises a verifiable digital signature of said subset Si.
 19. Apparatus according to claim 18, comprising a corresponding verification means for said verifiable digital signature, for authenticating at least one of the following: at least one element of said subset Si, and the originator of said digital signature.
 20. Apparatus according to claim 1, or 13, wherein said set A comprises a link information element through which other elements selected from the group consisting of said set A and the authentication-information are linked.
 21. Apparatus according to claim 1, wherein said function Fi has the property that it is substantially difficult to find a set S′ comprising at least one information element, said set S′ being different from said subset Si and yet can be used instead, such that applying said function Fi to said set S′ will yield said element bi, i.e., such that Fi(S′)=bi.
 22. Apparatus according to claim 1, wherein said function Fi comprises at least one reversible function, comprising means for generating a set C which comprises one or more information elements c1, . . . , ck, where said set C is expressive as a function I of at least part of said information element bi, and said function I comprising the inverse function of said reversible function.
 23. Apparatus according to claim 1, comprising means for verifying the authenticity of an information element asserted to match a corresponding element of said set A, said verification means comprising means for comparing a representation of said information element asserted with a representation of at least part of said authentication-information to determine if they match.
 24. Apparatus according to claim 1, comprising means for verifying the authenticity of a set Si′ comprising one or more information elements which are asserted to match the corresponding elements of said subset Si, said verification means comprising: means for generating a new information element bi′ comprising a representation of said set Si′ which is expressive as said function Fi of the elements of said set Si′; and means for comparing a representation of said element bi′ with a representation of said element bi to determine if they match.
 25. Apparatus according to claim 1, wherein said function Fi comprises one or more functions.
 26. Apparatus according to claim 18, wherein said digital signature is generated according to a scheme selected from the group consisting of secret-key (symmetric) cryptosystems and public-key cryptosystems.
 27. Apparatus according to claim 1, wherein said new set B comprises an element generated according to a Time Stamping Service scheme.
 28. Apparatus according to claim 1, wherein the means for associating is combined with the means for securing.
 29. Apparatus according to claim 1, wherein said apparatus is associated with a party other than said sender, or is resistant to or indicative of tampering by at least said sender.
 30. A method for authenticating that certain information has been transmitted from a sender via a dispatcher to a recipient, comprising the steps of: providing a set A comprising a plurality of information elements a1, . . . , an, where said information element a1 is originated from the sender and comprising the contents of the information being electronically transmitted to said recipient, and said one or more information elements a2, . . . , an comprising dispatch-related information and comprise at least the following elements: a2—a time indication associated with said dispatch; and a3—information describing the destination of said dispatch, and wherein at least said information element a2 is provided in a manner that is resistant to or indicative of tampering by either of said sender and said recipient; associating, by an authenticator functioning as a non-interested third party with respect to the sender and the recipient, said dispatch-related information with said element a1 by generating authentication-information comprising a representation of at least said elements a1, a2 and a3, said representation comprising a set of one or more elements, each comprising a representation of one or more elements of said set A; and securing, by said authenticator, at least part of said authentication-information against tampering of said sender and recipient; wherein at least one of the steps of associating and securing comprises the step of generating a new set B, said set B comprising one or more information elements b1, . . . , bm, each element bi comprising a representation of a subset Si, said representation being expressive as a function Fi of the elements of said subset Si, where said subset Si comprises a digital representation of at least one element of said set A, and where said functions Fi can be different.
 31. A method according to claim 30, wherein said dispatch-related information comprises at least one element selected from the group consisting of a delivery indication associated with said dispatch, the number of pages transmitted, page numbers, an indication of identification associated with said sender, an indication of identification associated with said recipient, said dispatch duration, integrity information, an indication of dispatch identification associated with said dispatch, an indication of identification associated with said authenticator, a heading message, and a trailing message.
 32. A method according to claim 30, comprising the step of authenticating the identity of at least one member selected from the group consisting of said sender, said recipient, an agent of said sender, and an agent of said recipient.
 33. A method according to claim 30, wherein the elements of said authentication-information have a form selected from the group consisting of the following forms: a paper document, microfiche and electronic information, and where each of said elements can have different form.
 34. A method according to claim 30, wherein said element a1 is provided from the sender by electronic means.
 35. A method according to claim 34, wherein said electronic means comprises a combination of at least one of the following: a communication network, a scanning device, a dispatcher, and a computer.
 36. A method according to claim 30 or 35, wherein said dispatcher comprises at least one element selected from the group consisting of a facsimile machine, a modem, a network interface card (NIC), a computer, a communication line, a communication network, an E-Mail system, an EDI system, and a message transmission forwarding service.
 37. A method according to claim 30, wherein said authentication-information comprises a representation of at least part of said new set B.
 38. A method according to claim 30, comprising the step of providing said dispatched information to said dispatcher for electronic transmission to said recipient.
 39. A method according to claim 30, wherein said element a2 comprises at least one element selected from the group consisting of the date associated with said dispatch, and the time associated with said dispatch.
 40. A method according to claim 30, comprising the step of generating selected elements of said set A.
 41. A method according to claim 30, wherein said element a3 comprises at least one element selected from the group consisting of an address associated with said dispatch, an address associated with said recipient, and an indication of identification associated with said recipient.
 42. A method according to claim 31, wherein said delivery indication comprises an indication of identification associated with said recipient.
 43. A method according to claim 30, comprising the step of electronically transmitting said dispatched information to said recipient.
 44. A method according to claim 30, comprising the step of providing an output comprising a representation of at least part of said authentication-information.
 45. A method according to claim 44, wherein said step of providing an output provides said output to a party selected from the group consisting of said sender, said recipient, an arbitrator, and a legal authority.
 46. A method according to claim 30, wherein the step of securing stores at least part of said authentication-information in a secure storage device.
 47. A method according to claim 30, wherein at least one member selected from the group consisting of said function Fi, and at least one information element of said new set B, is unknown at least to said sender.
 48. A method according to claim 30 or 47, wherein said new set B comprises a verifiable digital signature of said subset Si.
 49. A method according to claim 48, comprising a corresponding verification step for said verifiable digital signature, for authenticating at least one of the following: at least one element of said subset Si, and the originator of said digital signature.
 50. A method according to claim 30, or 41, wherein said set A comprises a link information element through which other elements selected from the group consisting of said set A and the authentication-information are linked.
 51. A method according to claim 30, wherein said function Fi has the property that it is substantially difficult to find a set S′ comprising at least one information element, said set S′ being different from said subset Si and yet can be used instead, such that applying said function Fi to said set S′ will yield said element bi, i.e., such that Fi(S′)=bi.
 52. A method according to claim 30, wherein said function Fi comprises at least one reversible function, comprising the step of generating a set C which comprises one or more information elements c1, . . . , ck, where said set C is expressive as a function I of at least part of said information element bi, and said function I comprising the inverse function of said reversible function.
 53. A method according to claim 30, comprising the step of verifying the authenticity of an information element asserted to match a corresponding element of said set A, said verification step comprising the step of comparing a representation of said information element asserted with a representation of at least part of said authentication-information to determine if they match.
 54. A method according to claim 30, comprising the step of verifying the authenticity of a set Si′ comprising one or more information elements which are asserted to match the corresponding elements of said subset Si, said verification step comprising the steps of: generating a new information element bi′ comprising a representation of said set Si′ which is expressive as said function Fi of the elements of said set Si′; and comparing a representation of said element bi′ with a representation of said element bi to determine if they match.
 55. A method according to claim 30, wherein said function Fi comprises one or more functions.
 56. A method according to claim 48, wherein said digital signature is generated according to a scheme selected from the group consisting of secret-key (symmetric) cryptosystems and public-key cryptosystems.
 57. A method according to claim 30, wherein said new set B comprises an element generated according to a Time Stamping Service scheme.
 58. A method according to claim 30, wherein the step of associating is combined with the step of securing.
 59. A method according to claim 30, wherein the activities described by said steps are being performed by an authenticator, said authenticator being associated with a party other than said sender.
 60. A method of authenticating a dispatch and contents of the dispatch transmitted from a sender to a recipient, comprising the steps of: receiving content data representative of the contents of the dispatch originated from the sender and being electronically transmitted to said recipient, and a destination of the dispatch; providing an indicia relating to a time of transmission of the dispatch, said time related indicia being provided in a manner resistant to or indicative of tampering by either of the sender and the recipient; associating, by an authenticator functioning as a non-interested third party with respect to the sender and the recipient, the content data with dispatch record data which includes at least said time related indicia and an indicia relating to the destination of the dispatch, to generate authentication data which authenticate the dispatch and the contents of the dispatch; and securing, by said authenticator, at least part of the authentication data against tampering of the sender and the recipient; wherein at least one of the steps of associating and securing utilizes mathematical association methods for a selected portion of a combination of the content data and the dispatch record data.
 61. A method according to claim 60, further including the step of transmitting the contents of the dispatch to the recipient.
 62. A method according to claim 60, further including the step of providing an output of at least part of the authentication data.
 63. A method according to claim 60, wherein the mathematical association methods utilize at least one transform function from a Hiding Class of transform functions.
 64. A method according to claim 60, wherein the mathematical association methods include a method of generating a digital signature.
 65. A method according to claim 60, wherein the step of providing the time related indicia includes receiving the time related indicia from an external source.
 66. A method according to claim 60, wherein the step of providing the time related indicia includes generating the time related indicia.
 67. A method according to claim 60, wherein the step of securing stores at least part of the authentication data in a secure storage device.
 68. A method according to claim 60, wherein the step of associating is combined with the step of securing.
 69. A method according to claim 60, wherein the authentication data further includes a delivery indicia relating to said dispatch.
 70. A method according to claim 60, where the activities described by said steps are being performed by an authenticator, said authenticator being associated with a party other than said sender.
 71. An authenticator for authenticating a dispatch and contents of the dispatch transmitted by or for a sender from a transmitting system to a receiving system for a recipient via an electronic communication network, comprising: an input unit coupled to the communication network or to the transmitting system for receiving content data representative of the contents of the dispatch being electronically transmitted to said receiving system, and a destination of the dispatch; means for providing an indicia relating to a time of transmission of the dispatch, said time related indicia being provided in a manner resistant to or indicative of tampering by either of the sender and the recipient; a processor for associating the content data with dispatch record data which includes at least said time related indicia and an indicia relating to the destination of the dispatch, to generate authentication data which authenticate the dispatch and the contents of the dispatch; and means for securing at least part of the authentication data against tampering of the sender and the recipient, the authenticator functioning as a non-interested third party with respect to the sender and the recipient; wherein the processor utilizes mathematical association methods for a selected portion of a combination of the content data and the dispatch record data to generate the authentication data.
 72. An authenticator according to claim 71, further including an output transmitter coupled to the communication network for transmitting the contents of the dispatch to the receiving system.
 73. An authenticator according to claim 71, further including an output device for providing an output of at least part of the authentication data.
 74. An authenticator according to claim 71, wherein the processor is combined with the means for securing.
 75. An authenticator according to claim 71, wherein the mathematical association methods utilize at least one transform function from a Hiding Class of transform functions.
 76. An authenticator according to claim 71, wherein the mathematical association methods include a method of generating a digital signature.
 77. An authenticator according to claim 71, wherein the means for providing the time related indicia receives the time related indicia from an external source.
 78. An authenticator according to claim 71, wherein the means for providing the time related indicia generates the time related indicia.
 79. An authenticator according to claim 71, wherein the authentication data further includes a delivery indicia relating to said dispatch.
 80. An authenticator according to claim 71, including a secure storage device for securing at least part of the authentication data.
 81. An authenticator according to claim 71, wherein said authenticator is associated with a party other than said sender, or is resistant to or indicative of tampering by at least said sender.
 82. An information dispatch system in an electronic communication network comprising: a source transmitting system coupled to the electronic communication network for sending a dispatch from a sender to a recipient; a destination receiving system coupled to the electronic communication network for receiving the dispatch for the recipient; and an authenticator functioning as a non-interested third party with respect to the sender and the recipient for authenticating the dispatch and contents of the dispatch transmitted from the source transmitting system to the destination receiving system, including: (1) an input unit coupled to the communication network or to the source transmitting system for receiving content data representative of the contents of the dispatch being electronically transmitted to said destination receiving system, and a destination of the dispatch; (2) means for providing an indicia relating to a time of transmission of the dispatch, said time related indicia being provided in a manner resistant to or indicative of tampering by either of the sender and the recipient; (3) a processor for associating the content data with dispatch record data which includes at least said time related indicia and an indicia relating to the destination of the dispatch, to generate authentication data which authenticate the dispatch and the contents of the dispatch; and (4) means for securing at least part of the authentication data against tampering of the sender and the recipient; wherein the processor is combined with the means for securing.
 83. An information dispatch system according to claim 82, wherein the authenticator further includes an output device for providing an output of at least part of the authentication data.
 84. An information dispatch system according to claim 82, wherein the processor utilizes mathematical association methods for a selected portion of a combination of the content data and the dispatch record data to generate the authentication data.
 85. An information dispatch system according to claim 82, wherein the means for providing the time related indicia receives the time related indicia from an external source.
 86. An information dispatch system according to claim 82, wherein the means for providing the time related indicia generates the time related indicia.
 87. An information dispatch system according to claim 82, including a secure storage device for securing at least part of the authentication data.
 88. An information dispatch system according to claim 82, wherein the authentication data further includes a delivery indicia relating to said dispatch.
 89. An information dispatch system according to claim 82, wherein said authenticator is associated with a party other than said sender, or is resistant to or indicative of tampering by at least said sender. 
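The following is an added illustration of the scheme the claims describe (claims 1, 17, 21 and 24 in particular); it is not code from the patent. It assumes a third-party authenticator that supplies the time indication a2 from its own clock, holds a secret key the sender and recipient never see, and keeps its records in a dictionary standing in for secure storage. Set B here has two elements: b1 is a one-way hash of the content a1 (a function for which a colliding S′ is hard to find), and b2 is a keyed MAC over the canonical encoding of {H(a1), a2, a3}, so a later assertion about any of the three is checked by recomputing bi′ and comparing it with the stored bi. All names, the key and the sample dispatch are constructed for the example.

```python
import hashlib
import hmac
import json
import time


def canonical(elements: dict) -> bytes:
    """Unambiguous byte encoding of a set of named elements (sorted keys, no whitespace),
    so that different (a1, a2, a3) tuples can never encode to the same bytes."""
    return json.dumps(elements, sort_keys=True, separators=(",", ":")).encode()


class Authenticator:
    """Non-interested third party: owns the clock for a2 and a key the sender never sees."""

    def __init__(self, key: bytes, clock=time.time):
        self._key = key        # unknown to sender and recipient (claim 17 analogue)
        self._clock = clock    # authenticator's own time source, not the sender's
        self._store = {}       # stand-in for secure storage (claim 16 analogue)
        self._next_id = 0

    def _b2(self, a1_digest: str, a2: int, a3: str) -> str:
        # b2 = F2({b1, a2, a3}): keyed MAC binding content digest, time and destination
        subset = {"a1_digest": a1_digest, "a2": a2, "a3": a3}
        return hmac.new(self._key, canonical(subset), hashlib.sha256).hexdigest()

    def record_dispatch(self, a1: bytes, a3: str) -> dict:
        """Form set A from the sender's content a1 and destination a3, supply a2 ourselves,
        derive set B = {b1, b2} and retain the authentication information."""
        a2 = int(self._clock())
        b1 = hashlib.sha256(a1).hexdigest()        # b1 = F1(a1): one-way hash of the content
        self._next_id += 1
        record = {
            "dispatch_id": self._next_id,
            "a1_digest": b1,
            "a2": a2,
            "a3": a3,
            "b2": self._b2(b1, a2, a3),
        }
        self._store[record["dispatch_id"]] = dict(record)
        return record

    def verify(self, dispatch_id: int, a1: bytes, a2: int, a3: str) -> bool:
        """Claim 24 analogue: recompute b1' and b2' from the asserted (a1', a2', a3') and
        compare with the stored b1 and b2. Any change to content, time or destination,
        including an edit of the stored record made without the key, yields a mismatch."""
        stored = self._store.get(dispatch_id)
        if stored is None:
            return False
        b1_prime = hashlib.sha256(a1).hexdigest()
        b2_prime = self._b2(b1_prime, a2, a3)
        return (hmac.compare_digest(b1_prime, stored["a1_digest"])
                and a2 == stored["a2"]
                and a3 == stored["a3"]
                and hmac.compare_digest(b2_prime, stored["b2"]))

    def tamper_stored_time(self, dispatch_id: int, new_a2: int) -> None:
        """Simulate an insider editing the stored a2 without access to the key."""
        self._store[dispatch_id]["a2"] = new_a2


def demo() -> dict:
    """Constructed sample dispatch; returns the outcome of each verification attempt."""
    auth = Authenticator(key=b"constructed-demo-key", clock=lambda: 1_000_000)
    content = b"Please ship 100 units to warehouse 7."
    rec = auth.record_dispatch(content, a3="+1-555-0100")
    did = rec["dispatch_id"]
    results = {
        "genuine": auth.verify(did, content, 1_000_000, "+1-555-0100"),
        "altered_content": auth.verify(did, b"Please ship 900 units to warehouse 7.", 1_000_000, "+1-555-0100"),
        "altered_time": auth.verify(did, content, 999_999, "+1-555-0100"),
        "altered_destination": auth.verify(did, content, 1_000_000, "+1-555-0199"),
        "unknown_dispatch": auth.verify(did + 1, content, 1_000_000, "+1-555-0100"),
    }
    auth.tamper_stored_time(did, 5)       # record edited, but b2 still covers the original a2
    results["tampered_record"] = auth.verify(did, content, 5, "+1-555-0100")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} -> {'match' if ok else 'MISMATCH'}")
```

The MAC plays the role of a secret-key signature (claim 26); a public-key signature over the same canonical bytes would let a recipient or arbitrator verify without the authenticator's key, at the cost of needing the authenticator's public key to be trusted. Note that the time indication is taken from the authenticator's clock, not accepted from the sender, which is what makes a2 tamper-resistant with respect to the sender.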